From 6b7e3b636488dfd50c3710f703cc3f54010c185a Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Sat, 7 Mar 2020 17:24:49 +0100
Subject: space_server: nftables: forward space.labitat.dk:17380 to jumbotron
---
 roles/space_server/files/nftables.conf | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
(limited to 'roles/space_server/files')
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 34d56f3..5f076ed 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -2,6 +2,8 @@
 define ap1 = 10.42.0.5
 define ap2 = 10.42.0.6
 define labitat = 185.38.172.72
+define jumbotron_ip4 = 10.42.1.36
+define jumbotron_ip6 = 2a01:4262:1ab:b:ba27:ebff:fed3:c162
 
 # internal stuff
 define ext_if = wan
@@ -108,6 +110,9 @@ table ip filter {
 		# traffic stats
 		ip saddr $labitat udp dport 161 counter accept
 
+		# jumbotron webhook
+		ip daddr $jumbotron_ip4 tcp dport 17380 counter accept
+
 		# no traffic to admin net
 		ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
 		ip daddr $adm_net4 drop
@@ -170,6 +175,9 @@ table ip6 filter {
 		ct state established,related accept
 		ct state invalid drop
 
+		# jumbotron webhook
+		ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept
+
 		iif $wire_if ip6 saddr $wire_net6 accept
 		iif $priv_if ip6 saddr $priv_net6 accept
 		iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
@@ -187,6 +195,7 @@ table ip6 filter {
 table ip nat {
 	chain portforward {
 		ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
+		ip daddr $ext_ip4 tcp dport 17380 dnat $jumbotron_ip4 # jumbotron webhook
 	}
 
 	chain prerouting {
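Review bot: The new `jumbotron_ip6` define looks like a SLAAC/EUI-64 address (the `ff:fe` marker in `ba27:ebff:fed3:c162`), which means it appears to be derived from the jumbotron's hardware MAC rather than assigned statically; if the board or its NIC is ever replaced, the DNAT target and both filter accepts silently point at an address nobody owns. A one-line comment on the define would save the next maintainer the guesswork, e.g. `define jumbotron_ip6 = 2a01:4262:1ab:b:ba27:ebff:fed3:c162 # EUI-64/SLAAC address, derived from the jumbotron's MAC - update if the hardware changes`. Alternatively give the host a static suffix so the firewall config stops depending on the MAC.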
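Review bot: The new accept `ip daddr $jumbotron_ip4 tcp dport 17380 counter accept` in the `table ip filter` hunk carries no interface, source or conntrack qualifier, so it admits port 17380 to the jumbotron from every network this chain handles, not only the traffic the `portforward` chain translated from `$ext_ip4`; the chain name is outside the hunk, so I am assuming this is the forward chain. If the intent is exactly what the subject says (forward space.labitat.dk:17380), tie the accept to the translation: `ip daddr $jumbotron_ip4 tcp dport 17380 ct status dnat counter accept`, or qualify it with `iif $ext_if` if internal-to-internal reachability is already handled elsewhere. The same applies to the `ip6 daddr $jumbotron_ip6 tcp dport 17380 counter accept` rule in the `table ip6 filter` hunk, where it is placed ahead of the per-interface `iif ... saddr` accepts and therefore matches any source, including direct connections to the jumbotron's global address that never pass through `$ext_ip6`.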
@@ -210,3 +219,28 @@ table ip nat {
 		oif $ext_if ip saddr $int_net4 snat $ext_ip4
 	}
 }
+
+table ip6 nat {
+	chain portforward {
+		ip6 daddr $ext_ip6 tcp dport 17380 dnat $jumbotron_ip6 # jumbotron webhook
+	}
+
+	chain prerouting {
+		type nat hook prerouting priority -150;
+		goto portforward
+	}
+
+	chain output {
+		type nat hook output priority -150;
+		goto portforward
+	}
+
+	#chain input {
+	#	type nat hook input priority -150;
+	#	# this chain is needed to make dnat from the output chain work
+	#}
+
+	#chain postrouting {
+	#	type nat hook postrouting priority -150;
+	#}
+}
-- 
cgit v1.2.1
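Review bot: The new `table ip6 nat` keeps an active `chain output` that DNATs locally generated traffic via `goto portforward`, yet the `#chain input` block right below it is commented out while its own comment states it "is needed to make dnat from the output chain work"; as written the file contradicts itself, and a reader cannot tell whether output-chain DNAT is expected to function or is dead configuration. Either enable the input chain or drop the output chain, and replace the stale comment with the actual decision, e.g. `# output-hook dnat is intentionally unsupported here; local clients must use $jumbotron_ip6 directly`. Separately, `$ext_ip6` is not defined in any hunk of this patch; presumably it exists further up the file (`$ext_net6` does), but it is worth confirming before this loads, since an undefined variable fails the whole ruleset at `nft -f` time and leaves the host without its filter tables.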